[dns-operations] A Case Against DNSSEC (A Matasano Miniseries)

Gadi Evron ge at linuxbox.org
Tue Apr 3 04:12:32 UTC 2007 

http://www.matasano.com/log/754/a-case-against-dnssec-a-matasano-miniseries/

This from the perspective of a security practitioner. I am just
forwarding, not stating my own opinion.

-----
The head of the Internet Architecture Board has declared DNSSEC a
success. The DNSSEC RFCs are standards-tracked. The DNS Extensions Working
Group is winding down. Are we finally going to have a secure domain name
system?

No. I.ll tell you why I don.t think so:

    *

      I.ll argue that secure DNS doesn.t solve a real problem.
    *

      I.ll argue that it.s so complicated and expensive that nobody will
ever deploy it.
    *

      I.ll argue that it.s actually contrary to the design of the
Internet.
    *

      And, I.ll argue that it.s a huge waste of effort; in fact, that the
struggle to deploy DNSSEC will do more harm than good.

Let me get started. First, what makes you think we need a secure domain
name system?

Because DNS is insecure! Anybody can spoof a DNS response, convincing my
browser that my bank.s website is really running on some mafia-controlled
Linux box in Uzbekistan!

You.re right. DNS is totally insecure. You can.t trust results coming from
DNS.

And that.s a problem!

Not really. You don.t need to trust the DNS anymore. Real-world
applications aren.t supposed trust names. At least a few of those
applications really don.t, and they seem to work OK.

Want an example? Take my banking website. You can.t spoof it, even if you
do own up the DNS, because a third party has to cryptographically attest
to my browser that the server has a valid key. Spoofing is prevented at
the application layer, not the DNS.

But not every application does that! We can.t keep moving forward with no
security in such a core part of the Internet infrastructure.

I agree, in principle. The world would be a better place if the DNS was
secure. But in reality, it.s not worth the costs. DNSSEC .- crypto-secured
DNS .- is so complicated, unstable, and expensive that it.s not worth the
cost.

How can you say it.s unstable? Back that argument up with evidence!

I can.t, which is part of my point. After over 12 years of earnest
development, there are still no mainstream deployments of DNSSEC. But I
can read an RFC, compare DNSSEC to other protocols, and predict what the
operator and user experience is going to be. And it seems like a
nightmare.

You know what? I don.t even agree in principle. DNSSEC is a bad thing,
even if it does work.

How could that possibly be?

It violates a fundamental design principle of the Internet.

Nonsense. DNSSEC was designed and endorsed by several of the architects of
the Internet. What principle would they be violating?

The end-to-end argument in system design. It says that you want to keep
the Internet dumb and the applications smart. But DNSSEC does the
opposite. It says, .Applications aren.t smart enough to provide security,
and end-users pay the price. So we.re going to bake security into the
infrastructure..

What.s wrong with that? IPSEC says the same thing!

Look how well that turned out. But IPSEC is at least optional: it.s so
all-or-nothing that the only place anybody thinks to turn it on is VPN
links. But DNSSEC isn.t a VPN tool. It.s an anti-phishing
tool. Everybody.s going to have to deal with it, whether they have better
or simpler ideas for providing security or not .- whether they even need
security or not.

It doesn.t even solve the problem of securing the next wave of
applications. It can.t, because it doesn.t know what those applications
look like. But it.s a pretty safe bet that many of them won.t even use the
DNS.

Everything on the Internet uses DNS. The head of the IAB says so.

The head of the IAB didn.t design AOL Instant Messenger, far and away the
most important messaging application on the Internet. DNS doesn.t tell me
how to find my friends on AIM; AOL.s servers do. AIM isn.t secure right
now, but DNSSEC can.t change that. Only the IM developers can. And they
can do it without DNSSEC.

The head of the IAB didn.t design peer-to-peer file sharing, far and away
the biggest consumer of traffic on the Internet. DNS doesn.t tell me how
to find files on a P2P network: the P2P protocols do. P2P isn.t secure
right now, but DNSSEC can.t change that. Only the P2P developers can. And
they can do it without DNSSEC.

The head of the IAB didn.t design content distribution networks like
Akamai, which power many of the most important websites on the
Internet. Vanilla DNS doesn.t tell me what mirror to fetch content off
of; Akamai.s traffic directors do. I don.t know if Akamai is secure or
not, but I.m pretty sure DNSSEC isn.t the deciding factor.

If you think the future of the Internet involves things like overlay
networks, peer-to-peer distributed systems, or large-scale web
applications like Google and YouTube, you have to ask yourself: where does
DNSSEC fit here? These things are happening independently of DNSSEC. They
have to be: nobody, not even the IETF, thinks DNSSEC is going to go
mainstream in the next 3 years.

There.s more to the Internet than the web. Maybe these people know better
than you do. Some of them have been fighting spam and phishing for over a
decade. What have you done?

Probably not as much as they have. I.m a mercenary. A creepy security
researcher. You probably don.t want to take my word for how to design the
Internet.

But you probably don.t want to take their word for it either. There are
huge financial implications to how the DNS is architected. A lot is at
stake. And despite the billions of dollars spent every year on security,
despite the near universal staffing of security teams at every enterprise
in the Fortune 500, there.s no detectable market demand for DNSSEC.

DNSSEC gets in the way. It distracts us from real problems that need to
get solved. It also substitutes a bunch of IETF people for the judgement
and expertise of the market, which actually has a track record in solving
security problems. Some of the loudest IETF participants have no
qualifications other than willingness to spend time on mailing lists and
at conferences.

You.re an asshole.

Indubitably. But convince me .- wait, no, just convince my readers! .-
that I.m wrong about this. You just heard my case. I.ll repeat it. Then
I.ll go into detail on each point. Again, I.m saying:

    *

      DNSSEC solves a non-problem.
    *

      DNSSEC is too complicated to deploy.
    *

      DNSSEC breaks the Internet.
    *

      DNSSEC wastes time, energy, and money.

If you want to argue, post a comment. I won.t stop you. If you kick my
ass, I.ll put it on the front page. But right now, I think you.re the
opposite of right.

Silence

Hello? You there?

Silence

Oh well. I.d better get writing.
-----

	Gadi.

More information about the dns-operations mailing list